WordPress Protect Admin with Second Domain

Hi all,

I have been using jordemort/traefik-forward-auth for protecting my applications with SSO with great success. Up until this point, all protections have been application-wide. But now, I'm looking to host a small WordPress site behind Traefik and am wondering how I can approach this.

Behavior I want:

  1. The WordPress site should be visible at example.com and www.example.com
  2. The admin panel should be reachable from wp.example.com (can simply redirect to wp-login)
  3. The path prefixes /wp-login.php, /admin and /wp-admin should be inaccessible from any domain other than wp.example.com
  4. I want wp.example.com to be protected by my SSO forward-auth middleware so you can't even reach the admin login page without first authenticating via SSO (this will ensure my AAD "Wordpress Managers" group is the only one with users who can access it)

How can I best approach this?

Following this approach, it looks like I can protect those specific routes with any middleware, but ideally, you wouldn't be able to see www.example.com/wp-admin at all and MUST use wp.example.com/wp-admin in order to administer it:

IMHO that won’t work, as WordPress always uses a single domain (in Settings, "Wordpress address" and "Site address"), and redirects to it if you access it with a different domain.
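
The Traefik-side routing that the four requirements in the question describe, as an added example that is not from either poster. It covers only the proxy layer and leaves the WordPress address settings raised in the reply untouched. The router, middleware and service names, the `websecure` entry point, the forward-auth address and the `X-Forwarded-User` header are assumptions.

```yaml
# Traefik dynamic configuration (file provider, v3 syntax; on v2 the
# ipAllowList middleware is called ipWhiteList). Added example: all names,
# the entry point and the backend/auth addresses are assumed placeholders.
http:
  routers:
    # Requirement 1: public site on example.com and www.example.com
    wp-public:
      rule: "Host(`example.com`) || Host(`www.example.com`)"
      entryPoints: [websecure]
      service: wordpress
      tls: {}

    # Requirement 3: admin paths on the public hosts. The explicit priority
    # makes this router win over wp-public; the middleware then rejects.
    wp-public-admin-block:
      rule: "(Host(`example.com`) || Host(`www.example.com`)) && (PathPrefix(`/wp-login.php`) || PathPrefix(`/admin`) || PathPrefix(`/wp-admin`))"
      priority: 1000
      entryPoints: [websecure]
      middlewares: [deny-all]
      service: wordpress
      tls: {}

    # Requirements 2 and 4: admin host, every request passes SSO first
    wp-admin:
      rule: "Host(`wp.example.com`)"
      entryPoints: [websecure]
      middlewares: [sso-forward-auth]
      service: wordpress
      tls: {}

  middlewares:
    sso-forward-auth:
      forwardAuth:
        address: "http://traefik-forward-auth:4181"   # assumed address
        authResponseHeaders: ["X-Forwarded-User"]     # assumed header
    deny-all:
      ipAllowList:
        sourceRange: ["127.0.0.1/32"]   # no external client matches: 403

  services:
    wordpress:
      loadBalancer:
        servers:
          - url: "http://wordpress:80"   # assumed backend
```

Blocking `/wp-admin` on the public hosts also blocks `/wp-admin/admin-ajax.php`, which themes and plugins call from the front end, so that path needs its own higher-priority router if the site depends on it.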